The FCA is open to cloud – but what of the firms it regulates?

 The IT pro

One senior IT professional in the banking sector still holds fears about the security of cloud services.

“Cloud services worry me from a security perspective. If a small number of large global firms dominate these services and build up a lot of clients, they make themselves a very attractive target,” he said. “If a cloud provider hosts many banks and security is compromised, all their clients may be impacted in one attack.”

He said there is some safety in diversity. “My concern is putting a lot of eggs in one basket, as hackers may be able to do a lot of damage to millions of banking customers across many banks in one event.”

“Of course the banks and cloud providers will say that can never happen, but it will.”

He doubts there will be a rapid take-up of cloud services as a result of the FCA publication. “There may be specific products and services which lend themselves to this model, but I don't think the FCA note will cause much of a change.”

He said large banks have good economies of scale so cloud is less attractive as a way of cutting costs. “Can cloud providers really get lower cost hardware, software and resource than a large bank?”

“Any bank that thinks there is a business advantage is probably managing its IT very badly today. There is nothing clever about the cloud – it's just a bunch of servers in a datacentre with an internet connection. In the old days we used to call it a mainframe with networked terminals.”

The academic

Daniel Gozman, lecturer at Henley Business School, said the take-up of cloud services in the banking sector will be “gradual and cautiously optimistic”. 

He said that, as cloud becomes the norm in other industries, the financial services sector will naturally follow. “But this won’t happen overnight and there may be some notable enforcement actions along the way. Firms will be curious to learn how the regulator reacts to different models of cloud and different suppliers over time.”

Gozman said finance firms may decide that the costs outweigh the benefits in meeting proposed guidelines. “For example, the guidelines require that firms collate and analyse a great deal of information about their provider on an ongoing basis. Will this be worthwhile for cheaper pay-as-you-go software as a service?”

He added that suppliers may be unwilling or unable to disclose some of the required information and meet the obligations firms require of them. “They may also be unwilling to alter standard contracts to facilitate some of the obligations.” He said that, ultimately, it is the firm that remains responsible for meeting regulatory obligations.

The outsourcing specialist

Jean Louis Bravard, IT outsourcing consultant and former CIO at JP Morgan, said the fact that the FCA formally approved public cloud will liberate its use if the industry is capable of managing the right level of tiering and security. But he added that he had some doubts.

“I would applaud the move but ask the FCA to suggest which services can indeed be outsourced to the cloud, and which security technologies, and which outsourcing provider the FCA approves.”

He added that it would be interesting to hear what the FCA attitude is on data privacy between Europe and the US. “Not all cloud providers actually can certify that no data crosses the Atlantic.”

The lawyers

Paul Hinton, IT outsourcing lawyer at Kemp Little said there was a growing number of companies in the finance sector adopting cloud services. 

“However, a key stumbling block has been a lack of certainty as to exactly what standard in each case would likely be acceptable to the FCA or PRA, which places the risk on each firm to assess each supplier offering, and individually determine if it is sufficient to meet high-level and generic FCA/PRA standards,” said Hinton.

He pointed out that the FCA guidance consultation acknowledges that stakeholders have informed it that the lack of certainty about the FCA’s application of its rules in connection with outsourcing the cloud may be preventing the firms from using the cloud. He said a number of issues need to be resolved including a disparity between FCA and PRA rules and guidance in different financial services sectors.

“Ideally a clear regulated standard would be produced that cloud providers could subscribe to and comply with. The FCA guidance consultation in its current form is still rather generic and many of the points raised include suggestions about what firms should consider rather than clear advice about what will be deemed satisfactory for the FCA.”

He said the FCA needs to recruit more technology experts with experience of managing internal IT systems. “This would help ensure the rules are more directly specific about IT standards where necessary.”

Mark Lewis, head of outsourcing at law firm Berwin Leighton Paisner, does not expect a rush to the cloud. “At the moment, the FCA’s current thinking shows there is some way to go in bridging the gap between a public cloud utility service for financial institutions and the FCA’s current proposed guidance.”

He said the guidance will not really lighten the regulatory burden, because it seems no more than a “slightly cut-down – if that – version of the current approach to regulated outsourcing”.

He said the proposed guidance may be unrealistic or unfeasible, given the public cloud technological, operational, business and contractual model. “In fairness to the regulator, public cloud providers need to start stepping up as well – some are beginning to do so – to bridge the gap in approach.”